nodemailer
npm
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting nodemailer
- CVE-2020-7769 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 6.4.16 | 2020-11-12
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
- CVE-2021-23400 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 6.6.1 | 2021-06-29
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
- CVE-2025-13033 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 7.0.7 | 2025-11-14
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within…
- CVE-2025-14874 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 7.0.11 | 2025-12-18
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.